RSA SecurID breach continues to raise security questions

Does the RSA SecurID two-factor authentication system include a back door that was built in at the request of the U.S. government in exchange for letting RSA export SecurID?

"RSA cut a deal with the government to provide a back door for surveillance work," say some industry analysts, who asked not to be identified. They say the trade-off let RSA export SecurID. RSA today would not confirm or deny this, indicating it was limiting its discussion of SecurID since last week's disclosure of a network breach where "certain information" about SecurID was stolen.

"Certainly possible," says security technology expert and author Bruce Schneier. "Back in the '80s, this sort of thing was popular. Remember key escrow? Remember the back door in Lotus Notes? SecurID is old enough that the NSA would have asked and that export might have hinged on it." But Schneier says he has no direct knowledge of that.

Others say they simply find it too hard to believe such a back door exists in RSA SecurID.

"It's highly unlikely," says Jon Oltsik, principal analyst at Enterprise Strategy Group. If that were true, however, anyone using SecurID would be at risk, he notes. But Oltsik reiterates he considers the idea of a back door in SecurID to not be credible.

RSA indicated that legal constraints brought about by the disclosed breach are holding it back from confronting this question of a back door to SecurID.

But if there is any back door, the implications are particularly troubling since RSA last week admitted, without providing much detail, that "certain information" related to SecurID was stolen by a stealthy attack into RSA's network. Art Coviello, RSA executive chairman, referred to the attack as an "Advanced Persistent Threat," a term meaning a stealthy hacker break-in to steal sensitive corporate information.

The industry analysts, who asked that their names not be disclosed, say it's their firm conviction that RSA SecurID has a back door available for government surveillance with the involvement of the National Security Agency (NSA). They believe this is the main reason why RSA made such cryptic statements last week about the breach RSA says is tied specifically to the product SecurID, the two-factor authentication system based on servers and tokens to generate one-time passwords.

Many are, in fact, bewildered by the statement Coviello made on March 17: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

Many are finding RSA's statements about whether SecurID is vulnerable or not hard to understand. Yesterday, RSA issued another "RSA SecurCare Online Note" to SecurID customers as an "update" to "help customers further assess their risk and prioritize their remediation steps in relation to this event."

In its "Incident Overview," which was part of the update, RSA stated, "To compromise any RSA SecurID deployment, an attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful direct attack, someone would need to have possession of all this information."

The RSA advisory yesterday to SecurID customers urged them to be particularly active in making sure Help Desk administrators "verify the user's identity before performing any Help Desk operations on their behalf" and to "educate your users on a regular basis about how to avoid phishing attacks."

The advisory also urged close monitoring of Authentication Manager logs for "abnormally high rates of failed authentications and/or next Tokencode Required" events. "If these types of activities are detected, your organization should be prepared to identify the access point being used and shut them down."
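The two log signals the advisory tells customers to watch for, as an added detection example that is not from the article or from RSA. The log line format, event names and thresholds are constructed assumptions, not the real Authentication Manager log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed simplified format, not RSA's real one).
SAMPLE_LOG = """\
2011-03-22T09:00:01 user=alice event=AUTH_SUCCESS
2011-03-22T09:00:05 user=bob event=AUTH_FAILED
2011-03-22T09:00:09 user=bob event=AUTH_FAILED
2011-03-22T09:00:13 user=bob event=AUTH_FAILED
2011-03-22T09:00:17 user=bob event=AUTH_FAILED
2011-03-22T09:00:21 user=bob event=AUTH_FAILED
2011-03-22T09:01:02 user=carol event=NEXT_TOKENCODE_REQUIRED
2011-03-22T09:01:30 user=carol event=NEXT_TOKENCODE_REQUIRED
2011-03-22T09:01:55 user=carol event=NEXT_TOKENCODE_REQUIRED
2011-03-22T09:02:10 user=dave event=AUTH_FAILED
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")
# Watched event -> count within one window that triggers a flag (assumed values).
WATCHED = {"AUTH_FAILED": 5, "NEXT_TOKENCODE_REQUIRED": 3}


def parse_events(text):
    """Return (datetime, user, event) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, event = m.groups()
            events.append((datetime.fromisoformat(ts), user, event))
    return events


def find_suspicious_users(text, window=timedelta(minutes=5), thresholds=WATCHED):
    """Flag users whose count of a watched event inside any trailing window
    reaches its threshold. Returns {user: {event: peak_count_in_window}}."""
    per_key = defaultdict(list)
    for ts, user, event in parse_events(text):
        if event in thresholds:
            per_key[(user, event)].append(ts)
    flagged = defaultdict(dict)
    for (user, event), stamps in per_key.items():
        stamps.sort()
        start = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window start forward
                start += 1
            count = i - start + 1
            if count >= thresholds[event]:
                flagged[user][event] = max(flagged[user].get(event, 0), count)
    return dict(flagged)
```

In the sample, bob's burst of failures and carol's repeated next-tokencode prompts are flagged, while dave's single failure is not.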

RSA also indicates that internally in its business of manufacturing and distributing RSA SecurID tokens and other products, "some operations are interrupted" while RSA seeks to "harden" its environment but that the company expects "to resume distribution soon and will share information on this when available."

Some analysts are also asking questions about EMC RSA Access Manager Server 5.5.x, 6.0.x and 6.1.x, a vulnerability in which was reported to the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST) at the same time last week as RSA was making the painful disclosure about how a hacker had broken into its network.

The vulnerability summary for CVE-2011-0322 said an "unspecified vulnerability" was identified in these versions of EMC RSA Access Manager Server, allowing "remote attackers to access resources via unknown vectors." RSA said it has a fix for the problem, and an RSA spokesman said it's simply a coincidence that information about Access Manager Server and SecurID were announced at the same time.

"It's totally unrelated to SecurID" and the breach disclosure, a spokesman said, adding that the Access Manager Security report in the National Vulnerability Database represents a "normal product vulnerability" that is routinely found and gets reported and fixed.